Comments on: More malware from ircer.pl http://www.teamfurry.com/wordpress/2007/03/31/more-malware-from-ircerpl/ About malware, packers and reverse engineering Fri, 21 Nov 2008 07:18:13 +0000 http://wordpress.org/?v=2.2.3 By: MAD http://www.teamfurry.com/wordpress/2007/03/31/more-malware-from-ircerpl/#comment-103 MAD Sat, 26 May 2007 03:39:45 +0000 http://www.teamfurry.com/wordpress/2007/03/31/more-malware-from-ircerpl/#comment-103 A new release, 8 May 2007 GTM+1, dropper file is download via website, the files are now packed with PEC2. Source: http://secubox.aldria.com/topic-post1867.html ______________________________________________________________ .text >> 0000a228 ( 1000a228 ) >> SeDebugPrivilege .text >> 0000a23c ( 1000a23c ) >> explorer.exe .text >> 0000a24c ( 1000a24c ) >> WINLOGON.EXE .text >> 0000a25c ( 1000a25c ) >> rundll32.exe .text >> 0000a270 ( 1000a270 ) >> SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings .text >> 0000a2b4 ( 1000a2b4 ) >> Time .text >> 0000a2bc ( 1000a2bc ) >> g_InstallPath .text >> 0000a2cc ( 1000a2cc ) >> g_InstallDLL .text >> 0000a2dc ( 1000a2dc ) >> xWovqdo .text >> 0000a2e4 ( 1000a2e4 ) >> Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ .text >> 0000a324 ( 1000a324 ) >> Logon .text >> 0000a32c ( 1000a32c ) >> Logoff .text >> 0000a338 ( 1000a338 ) >> SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks .text >> 0000a380 ( 1000a380 ) >> SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ .text >> 0000a3cc ( 1000a3cc ) >> SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ .text >> 0000a3fc ( 1000a3fc ) >> MSServer .text >> 0000a408 ( 1000a408 ) >> CLSID\ .text >> 0000a410 ( 1000a410 ) >> Asynchronous .text >> 0000a420 ( 1000a420 ) >> DllName .text >> 0000a428 ( 1000a428 ) >> Impersonate .text >> 0000a434 ( 1000a434 ) >> Logon .text >> 0000a43c ( 1000a43c ) >> Logoff .text >> 0000a448 ( 1000a448 ) >> awx_mutant .text >> 0000a454 ( 1000a454 ) >> AD-AWARE.EXE .text >> 0000a464 ( 1000a464 ) >> %08x .text >> 0000a470 ( 1000a470 ) >> Kernel32 .text >> 0000a47c ( 1000a47c ) >> LoadLibraryA .text >> 0000a48c ( 1000a48c ) >> PSAPI.dll .text >> 0000a498 ( 1000a498 ) >> EnumProcessModules .text >> 0000a4ac ( 1000a4ac ) >> GetModuleFileNameExA .text >> 0000a4c4 ( 1000a4c4 ) >> psapi.dll .text >> 0000a4d0 ( 1000a4d0 ) >> %s\tmp%08x .text >> 0000a4dc ( 1000a4dc ) >> rundll32.exe %s,Activate .text >> 0000a4f8 ( 1000a4f8 ) >> HookProc .text >> 0000a504 ( 1000a504 ) >> %s\%s .text >> 0000b620 ( 1000b620 ) >> http://65.243.103.80/80 .text >> 0000b638 ( 1000b638 ) >> SOFTWARE\Microsoft\Installer .text >> 0000b65c ( 1000b65c ) >> Identities .text >> 0000b668 ( 1000b668 ) >> URLDownloadToFileA .text >> 0000b67c ( 1000b67c ) >> urlmon.dll .text >> 0000b690 ( 1000b690 ) >> uid= .text >> 0000b698 ( 1000b698 ) >> %s/%s .text >> 0000b6a8 ( 1000b6a8 ) >> SOFTWARE\Microsoft\zxc5 .text >> 0000b6c0 ( 1000b6c0 ) >> 0123456789ABCDEFopen .text >> 0000b6dc ( 1000b6dc ) >> ShellExecuteA .text >> 0000b6ec ( 1000b6ec ) >> shell32.dll .text >> 0000b700 ( 1000b700 ) >> %s/%s?i=%s&v=%x_%x_%x_%x_%s&g=%s&t=%04i_%02i_%02i_%02i_%02i&d=%i%s&a=%i .text >> 0000b748 ( 1000b748 ) >> &s=1 .text >> 0000b750 ( 1000b750 ) >> &m=1 .text >> 0000b758 ( 1000b758 ) >> Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) ______________________________________________________________ Regards, A new release, 8 May 2007 GTM+1, dropper file is download via website, the files are now packed with PEC2.

Source: http://secubox.aldria.com/topic-post1867.html

______________________________________________________________
.text >> 0000a228 ( 1000a228 ) >> SeDebugPrivilege
.text >> 0000a23c ( 1000a23c ) >> explorer.exe
.text >> 0000a24c ( 1000a24c ) >> WINLOGON.EXE
.text >> 0000a25c ( 1000a25c ) >> rundll32.exe
.text >> 0000a270 ( 1000a270 ) >> SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings
.text >> 0000a2b4 ( 1000a2b4 ) >> Time
.text >> 0000a2bc ( 1000a2bc ) >> g_InstallPath
.text >> 0000a2cc ( 1000a2cc ) >> g_InstallDLL
.text >> 0000a2dc ( 1000a2dc ) >> xWovqdo
.text >> 0000a2e4 ( 1000a2e4 ) >> Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
.text >> 0000a324 ( 1000a324 ) >> Logon
.text >> 0000a32c ( 1000a32c ) >> Logoff
.text >> 0000a338 ( 1000a338 ) >> SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
.text >> 0000a380 ( 1000a380 ) >> SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
.text >> 0000a3cc ( 1000a3cc ) >> SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
.text >> 0000a3fc ( 1000a3fc ) >> MSServer
.text >> 0000a408 ( 1000a408 ) >> CLSID\
.text >> 0000a410 ( 1000a410 ) >> Asynchronous
.text >> 0000a420 ( 1000a420 ) >> DllName
.text >> 0000a428 ( 1000a428 ) >> Impersonate
.text >> 0000a434 ( 1000a434 ) >> Logon
.text >> 0000a43c ( 1000a43c ) >> Logoff
.text >> 0000a448 ( 1000a448 ) >> awx_mutant
.text >> 0000a454 ( 1000a454 ) >> AD-AWARE.EXE
.text >> 0000a464 ( 1000a464 ) >> %08x
.text >> 0000a470 ( 1000a470 ) >> Kernel32
.text >> 0000a47c ( 1000a47c ) >> LoadLibraryA
.text >> 0000a48c ( 1000a48c ) >> PSAPI.dll
.text >> 0000a498 ( 1000a498 ) >> EnumProcessModules
.text >> 0000a4ac ( 1000a4ac ) >> GetModuleFileNameExA
.text >> 0000a4c4 ( 1000a4c4 ) >> psapi.dll
.text >> 0000a4d0 ( 1000a4d0 ) >> %s\tmp%08x
.text >> 0000a4dc ( 1000a4dc ) >> rundll32.exe %s,Activate
.text >> 0000a4f8 ( 1000a4f8 ) >> HookProc
.text >> 0000a504 ( 1000a504 ) >> %s\%s
.text >> 0000b620 ( 1000b620 ) >> http://65.243.103.80/80
.text >> 0000b638 ( 1000b638 ) >> SOFTWARE\Microsoft\Installer
.text >> 0000b65c ( 1000b65c ) >> Identities
.text >> 0000b668 ( 1000b668 ) >> URLDownloadToFileA
.text >> 0000b67c ( 1000b67c ) >> urlmon.dll
.text >> 0000b690 ( 1000b690 ) >> uid=
.text >> 0000b698 ( 1000b698 ) >> %s/%s
.text >> 0000b6a8 ( 1000b6a8 ) >> SOFTWARE\Microsoft\zxc5
.text >> 0000b6c0 ( 1000b6c0 ) >> 0123456789ABCDEFopen
.text >> 0000b6dc ( 1000b6dc ) >> ShellExecuteA
.text >> 0000b6ec ( 1000b6ec ) >> shell32.dll
.text >> 0000b700 ( 1000b700 ) >> %s/%s?i=%s&v=%x_%x_%x_%x_%s&g=%s&t=%04i_%02i_%02i_%02i_%02i&d=%i%s&a=%i
.text >> 0000b748 ( 1000b748 ) >> &s=1
.text >> 0000b750 ( 1000b750 ) >> &m=1
.text >> 0000b758 ( 1000b758 ) >> Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
______________________________________________________________

Regards,

]]> By: toni http://www.teamfurry.com/wordpress/2007/03/31/more-malware-from-ircerpl/#comment-45 toni Mon, 30 Apr 2007 14:35:16 +0000 http://www.teamfurry.com/wordpress/2007/03/31/more-malware-from-ircerpl/#comment-45 Glad the entry was of help. I'm not aware of all the ways they can push that malware to victims. You might want to check for any suspicious connections on your computer. Some of the DNS names they've used are: zief.pl proxima.ircgalaxy.pl The botnet C&C has usually been at port 65520. Glad the entry was of help. I’m not aware of all the ways they can push that malware to victims. You might want to check for any suspicious connections on your computer. Some of the DNS names they’ve used are:
zief.pl
proxima.ircgalaxy.pl

The botnet C&C has usually been at port 65520.

]]> By: Bob http://www.teamfurry.com/wordpress/2007/03/31/more-malware-from-ircerpl/#comment-44 Bob Mon, 30 Apr 2007 13:33:43 +0000 http://www.teamfurry.com/wordpress/2007/03/31/more-malware-from-ircerpl/#comment-44 Thanks. This IP address just flashed up on my firewall. AVG & Windows Defender don't pick up the dll as anything bad, but I found the offending dll (mine was called ssqromk.dll) and entries in the registry (winlogon notify) and clsid {4FFADED8-CE19-4FC5-9547-7881FDB5D120}. Registered as a Browser Help object quickly picked up in Ace Utilities. Thanks. This IP address just flashed up on my firewall. AVG & Windows Defender don’t pick up the dll as anything bad, but I found the offending dll (mine was called ssqromk.dll) and entries in the registry (winlogon notify) and clsid {4FFADED8-CE19-4FC5-9547-7881FDB5D120}. Registered as a Browser Help object quickly picked up in Ace Utilities.

]]> By: Heavy http://www.teamfurry.com/wordpress/2007/03/31/more-malware-from-ircerpl/#comment-29 Heavy Mon, 23 Apr 2007 22:18:27 +0000 http://www.teamfurry.com/wordpress/2007/03/31/more-malware-from-ircerpl/#comment-29 the file can contains more then 5 random digits... this is bull shit has some stupid modifications... for example, in my system it was ddcdaay.dll ... i remove it under system self mode, after dissalow permitions to write anybody to this registry path (like dll name) -- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddcdaay the file can contains more then 5 random digits… this is bull shit has some stupid modifications… for example, in my system it was ddcdaay.dll … i remove it under system self mode, after dissalow permitions to write anybody to this registry path (like dll name) — HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddcdaay

]]> By: Toni http://www.teamfurry.com/wordpress/2007/03/31/more-malware-from-ircerpl/#comment-23 Toni Sat, 21 Apr 2007 06:49:12 +0000 http://www.teamfurry.com/wordpress/2007/03/31/more-malware-from-ircerpl/#comment-23 The files are dropped into the sysdir (C:\windows\system32 for most systems) under a 5 digit random character filename ending in .dll The files are dropped into the sysdir (C:\windows\system32 for most systems) under a 5 digit random character filename ending in .dll

]]> By: Rod http://www.teamfurry.com/wordpress/2007/03/31/more-malware-from-ircerpl/#comment-21 Rod Thu, 19 Apr 2007 20:12:23 +0000 http://www.teamfurry.com/wordpress/2007/03/31/more-malware-from-ircerpl/#comment-21 I just found a cookie on my machine referencing 65.243.103.80 Any names available yet as to the files it drops? I just found a cookie on my machine referencing 65.243.103.80

Any names available yet as to the files it drops?

]]>